Smartphone technology has been advancing in leaps and bounds, but often at the expense of security and privacy.
It is well known that advertising networks want user profiles so they can sell personalized advertisements, and we uncovered one way in which they might get this from your phone without you realizing.
App developers typically build in an advertising library from a network at compilation time, which means that the advertising code runs within the same process and privilege boundaries as the host application. We showed that advertising networks can leverage those inherent privileges to accurately profile the device’s user, without their knowledge or consent.
Side channels are paths to information that are seemingly harmless, but that can be combined in creative ways to perform a malicious task. For example, just by looking at the length of the network packets — a type of data — sent and received from the Twitter app, we showed how a malicious app can uncover the identity of the device owner. You can see this in action in the video below.
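Why packet lengths alone can narrow down who is using an app, and how padding blunts that signal, shown as an added example that is not code from the research described here. The candidate names, the fixed overhead and the bucket sizes are constructed assumptions, not measurements of any real app.

```python
from collections import defaultdict

# Constructed assumption: each response carries a fixed overhead plus the
# account's display name, so its length on the wire varies with the user.
OVERHEAD = 180  # bytes of headers and fixed fields (made-up value)
CANDIDATES = ["alice", "bob_the_builder", "carol.s",
              "dave", "eve_m", "mallory1"]  # constructed sample accounts


def wire_length(name: str, bucket: int = 0) -> int:
    """Length an observer sees for one response.

    bucket == 0 means no padding; otherwise the sender pads the
    response up to the next multiple of `bucket` bytes.
    """
    raw = OVERHEAD + len(name.encode("utf-8"))
    if bucket <= 0:
        return raw
    return -(-raw // bucket) * bucket  # round up to the bucket boundary


def anonymity_sets(names, bucket=0):
    """Group candidates that look identical when only length is visible."""
    groups = defaultdict(list)
    for name in names:
        groups[wire_length(name, bucket)].append(name)
    return dict(groups)


def uniquely_identified(names, bucket=0):
    """Candidates whose observed length matches nobody else's."""
    sets = anonymity_sets(names, bucket).values()
    return sorted(group[0] for group in sets if len(group) == 1)


if __name__ == "__main__":
    for bucket in (0, 64, 128):
        label = "no padding" if bucket == 0 else f"pad to {bucket} B"
        print(f"{label:>12}: sets={anonymity_sets(CANDIDATES, bucket)}")
        print(f"{'':>12}  singled out={uniquely_identified(CANDIDATES, bucket)}")
```

With these sample values the 64-byte bucket still leaves one account alone in its length class, so the padding granularity has to be chosen against the real spread of message sizes.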
Getting access to a particular individual’s phone is probably more interesting if they are high profile, like a politician or celebrity, where stolen data could be used as a tool for blackmail or extortion. In fact, ransomware is one of the biggest threats in the smartphone world.
Employees of a company might also be targeted by competitor businesses trying to get access to intellectual property secrets.
Groups might be targeted to sell user data to third parties such as advertising firms. Data might also be interesting for insurance firms or banks that could use it to set risk scores.
In terms of security, there are a number of good practices that contribute to what we call ‘cyber security hygiene’, most of which are common sense and done by people without thinking about it. Here are my top 10 tips:
- Always use a password or biometric authentication for unlocking your phone.
- Only install apps from a trusted developer on an official market.
- Think before granting an app permissions. Does a flashlight really need to know your device’s location?
- Consider revoking critical permissions when apps are not using them.
- Disable Bluetooth and location services when not needed.
- Never use a ‘jailbroken’ or ‘rooted’ phone – this essentially disables security against third-party apps accessing privileged operations.
- Use two-factor authentication when available.
- Get an antivirus app.
- Don’t perform financial, medical or business tasks using the smartphone when connected to a public network. If you have to, then get a VPN.
- Always apply software upgrades as soon as possible – these often carry security updates.
These are general guidelines that can help keep our phones and private data secure. It might seem like a long list but I think it is a matter of mentality which should be engraved in the new generation, since mobile devices are the way we handle all our data. We should have coordinated efforts to raise cybersecurity hygiene awareness, both nationally and internationally.